The technology company Accellion based in Palo Alto, CA offered an $8.1 million settlement to handle a class action data breach legal action that was submitted on behalf of affected individuals of the attack on the Accellion File Transfer Appliance (FTA) in December 2020.
The Accellion FTA is a legacy software that is utilized for safely transmitting files that are too big to be sent by using email. The Accellion FTA was utilized for over 20 years and reached its end of life. Its support program was over on April 30, 2021. Accellion had made another platform, Kiteworks, and customers were prompted to transition from the legacy solution; nonetheless, a substantial number of businesses were continually making use of the FTA solution when the cyberattack happened.
In December 2020, two formerly unheard of Advanced Persistent Threat (APT) groups associated with FIN11 and the CLOP ransomware group exploited unresolved vulnerabilities in the Accellion FTA, obtained access to the information of its clients, and exfiltrated a considerable volume of files. Subsequent to the breach, four vulnerabilities connected with the breach were exposed and given CVEs.
The breach impacted Accellion customers such as banks, law agencies, colleges, and medical care establishments. Lots of the records that belong to healthcare companies comprised sensitive patient and health plan member details. Healthcare companies affected by the breach consist of
- Arizona Complete Health
- Community Health Plan
- Health Employees’ Pension Plan
- CalViva Health
- Health Net of California
- Health Net Community Solutions
- California Health & Wellness
- Trinity Health
- Trillium
- Stanford University School of Medicine
- Kroger
- The University of California
- University of Miami Health
Right after the attack, various lawsuits were filed against Accellion and its clients as a result of the data breach. The class-action lawsuit versus Accellion claimed the company didn’t use and retain proper data security strategies to secure the sensitive records of its clients, did not determine the Accellion FTA’s security vulnerabilities, did not make known its security procedures were insufficient, and was unable to avert the data breach. Due to the attack, highly sensitive data was compromised, such as names, contact data, birth dates, medical information, driver’s license numbers, and Social Security numbers.
Accellion dismissed all of the accusations in the legal action and does not accept liability for the information breach. The firm stated in the settlement that it’s not accountable for managing, making updates, and preserving clients’ instances of the FTA program. Accellion furthermore mentioned it does not acquire any client data, doesn’t access the information of files shared or stored using the FTA service, and gave no warranties to customers that the FTA software was risk-free.
It is not clear how many people will be included by the settlement, although the number is surely above 9.2 million persons. Accellion will make an effort to get updated contact details for those people so as to distribute notices of the offered settlement. The planned settlement comes with a cash fund of $8.1 million to take care of claims, notices, administration fees, and service awards to impacted clients of the Accellion FTA. $4.6 million of the $8.1 million funds will be delivered in 10 days, while the rest will be given within 10 days of the negotiation approval.
Impacted persons will be allowed to sign up for two years of three-bureau credit monitoring and insurance services, collect compensation for documented losses of as much as $10,000, or obtain a cash payment, which is anticipated to be approximately $15 – $50. Accellion will likewise fully cease using the Accellion FTA and make a move to make sure the safety of its alternative Kiteworks software. Those steps include enhancing its bug bounty program, using FedRAMP certification, assigning people in charge of cybersecurity, giving cybersecurity training to its staff, and having regular examinations to verify continued adherence to the cybersecurity guidelines stated in the settlement deal.
The offered settlement will resolve all claims against Accellion exclusively. There are some other lawsuits and settlements versus customers affected by the data breach. The supermarket business Kroger has offered a $5 million settlement to take care of lawsuits submitted on behalf of the 3.8 million personnel and consumers impacted by the cyberattack.
